loading
loading
Scanners
High-performance scanner for the MongoBleed MongoDB memory disclosure flaw.
overview
mongobleed checks MongoDB hosts for CVE-2025-14847, a memory disclosure flaw triggered by malformed OP_COMPRESSED packets. It sends crafted requests against each target, watches for leaked memory in the response, and flags hosts that bleed data. The implementation follows Joe Desimone's published exploit technique.
It is built for scale. Feed it a file of targets in any of several forms, host, host:port, an http or https URL, or a mongodb URI, and run hundreds of connections in parallel. Quiet mode reports only vulnerable hosts, while verbose mode prints samples of the leaked data so you can confirm the finding rather than trust a status flag alone.
In a Trickest Scanners workflow, mongobleed takes a target file and writes a file and a folder of results. Place it after port discovery so it tests only hosts already known to expose MongoDB, keeping the scan focused and the output easy to triage.
source github.com/trickest
use cases
Run mongobleed against hosts found listening on MongoDB ports to confirm which ones leak memory through the OP_COMPRESSED flaw.
Raise --concurrency to scan hundreds of hosts at once and use --quiet so the output lists only the vulnerable targets that need action.
Enable --verbose to print samples of the disclosed memory, turning a yes/no result into evidence you can include in a report.
Feed mongobleed the MongoDB hosts from naabu or masscan so the vulnerability check only touches services already confirmed open.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| input | FILE | --input | File of targets, one per line; supports host, host:port, http(s)://host:port, and mongodb://host:port. |
| concurrency | STRING | --concurrency | Number of concurrent connections (default 200). |
| timeout | STRING | --timeout | Connection timeout in seconds (default 5). |
| quiet | BOOLEAN | --quiet | Quiet mode, show only vulnerable hosts. |
| verbose | BOOLEAN | --verbose | Verbose output with leaked data samples. |
| doc-len | STRING | --doc-len | BSON document length for the exploit (default 100). |
| buffer-size | STRING | --buffer-size | Inflated buffer size to trigger the leak (default 600). |
| all-results | BOOLEAN | --all-results | Include all results in output, not only vulnerable hosts. |
Showing key inputs. mongobleed exposes 9 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| input | FILE | --input | File containing targets (one per line, supports: host, host:port, http://host:port, https://host:port, mongodb://host:port) |
| quiet | BOOLEAN | --quiet | Quiet mode (only show vulnerable hosts) |
| doc-len | STRING | --doc-len | BSON document length for exploit (default 100) |
| timeout | STRING | --timeout | Connection timeout in seconds (default 5) |
| verbose | BOOLEAN | --verbose | Enable verbose output with leaked data samples |
| no-color | BOOLEAN | --no-color | Disable colored output |
| all-results | BOOLEAN | --all-results | Include all results in output (not only vulnerable) |
| buffer-size | STRING | --buffer-size | Inflated buffer size to trigger leak (default 600) |
| concurrency | STRING | --concurrency | Number of concurrent connections (default 200) |
example
# quiet scan of MongoDB targets for CVE-2025-14847mongobleed --input mongo-hosts.txt --quiet --concurrency 200 --timeout 5198.51.100.10:27017 VULNERABLE203.0.113.25:27017 VULNERABLE192.0.2.40:27017 not vulnerablemongo.dev.example.com:27017 VULNERABLEdb.staging.example.com:27017 not vulnerable198.51.100.88:27017 VULNERABLEapi.example.com:27017 not vulnerableguidance
Use mongobleed when you have MongoDB hosts and need to know which leak memory through CVE-2025-14847. It is a single-flaw scanner, not a discovery tool, so feed it a target list from a port scan and use quiet mode to surface only the vulnerable hits.
Template-driven scanner that covers many CVEs. mongobleed is purpose-built and faster for this one flaw.
Port scanner that finds the MongoDB hosts to feed mongobleed. They run in sequence, not in competition.
Same check applied across larger target sets when you need a wrapper around the core scanner.
faq
related
Find reflected XSS during recon by checking payload reflection.
Fast and customizable subdomain wordlist generator using patterns.
Scans software bills of materials for security vulnerabilities.
Find broken links, missing images, and other dead references within your HTML.
A command-line scanner that finds exposed services, files, and folders through the web root.
A CMS detection and exploitation suite.
A host list feeds naabu to find open MongoDB ports, then mongobleed tests those hosts for CVE-2025-14847 and writes the vulnerable ones as a queryable output.
Facts on this page come from the live Trickest tool library.